I have set up a forwarder to dump my CloudFront logs to Splunk; below is the raw log format. I have tried following http://docs.splunk.com/Documentation/AddOns/released/CiscoWSA/Configurew3clogfieldextractions, matching it to the CloudFront logs, but no luck. Below is how I have set up props.conf & transforms.conf. I'm able to see the raw data in Splunk, but I want to map it to event names so I can query them.
I'm trying to follow what is described in http://answers.splunk.com/answers/57770/transforms-conf-and-props-conf-field-extractions.html
#Raw Logs
2015-01-27 12:48:48 JAX1 1871 71.1.1.16 GET d21rhj.cloudfront.net /test/20150112/54b48398e4b0f8e9e9d6ddf2_141391808196.mp4 200 http://www.test.com/demo.html Mozilla/5.0%2520(Windows%2520NT%25206.0;%2520WOW64)%2520AppleWebKit/537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/39.0.2171.95%2520Safari/537.36 - - Hit Ba3xwT-zb-czH_zw== v.test.com http 637 0.002
#transforms.conf
[auto_kv_for_video_cloudfront_w3c]
# One capture group per CloudFront field, anchored, so that $1..$19 in FORMAT refer to real groups.
# A bare /\S+/g has no capture groups and the /.../g delimiters are not Splunk syntax (PCRE without delimiters).
# For the native tab-separated format, DELIMS = "\t" with a FIELDS list is an equivalent alternative.
REGEX = ^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$
FORMAT = date::$1,time::$2,x_edge_location::$3,sc_bytes::$4,c_ip::$5,cs_method::$6,cs_Host::$7,cs_uri_stem::$8,sc_status::$9,cs_referer::$10,cs_user_agent::$11,cs_uri_query::$12,cs_cookie::$13,x_edge_result_type::$14,x_edge_request_id::$15,x_host_header::$16,cs_protocol::$17,cs_bytes::$18,time_taken::$19
#props.conf
[cloudfrontprof]
# Stanza name must equal the sourcetype assigned to the forwarded CloudFront logs, or the REPORT never runs.
pulldown_type = 1
REPORT-auto_kv_for_video_cloudfront_w3c = auto_kv_for_video_cloudfront_w3c
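To check what the extraction should produce before touching Splunk, here is an added example (not from the question or from Splunk) that applies the same 19-group, whitespace-delimited regex in Python to the question's log line, maps the groups to the field names used in the FORMAT line, treats CloudFront's "-" placeholder as an empty value, and double-URL-decodes the user agent (the %2520 sequences show it was encoded twice). The sample line is constructed from the one in the question, re-joined with tabs as CloudFront writes it; the function and variable names are the example's own.

```python
import re
from urllib.parse import unquote

# Field names in CloudFront's access-log order; the same 19 names the
# question's FORMAT line assigns to $1..$19.
CLOUDFRONT_FIELDS = [
    "date", "time", "x_edge_location", "sc_bytes", "c_ip", "cs_method",
    "cs_Host", "cs_uri_stem", "sc_status", "cs_referer", "cs_user_agent",
    "cs_uri_query", "cs_cookie", "x_edge_result_type", "x_edge_request_id",
    "x_host_header", "cs_protocol", "cs_bytes", "time_taken",
]

# One anchored capture group per field: exactly what a transforms.conf REGEX
# needs before FORMAT can reference $1..$19. \s+ accepts CloudFront's native
# tab separator as well as a space-collapsed copy of the line.
FIELD_RE = re.compile(
    r"^" + r"\s+".join([r"(\S+)"] * len(CLOUDFRONT_FIELDS)) + r"\s*$"
)

INT_FIELDS = ("sc_bytes", "sc_status", "cs_bytes")
FLOAT_FIELDS = ("time_taken",)

# Constructed sample: the question's log line with tab separators.
SAMPLE_LINE = "\t".join([
    "2015-01-27", "12:48:48", "JAX1", "1871", "71.1.1.16", "GET",
    "d21rhj.cloudfront.net",
    "/test/20150112/54b48398e4b0f8e9e9d6ddf2_141391808196.mp4", "200",
    "http://www.test.com/demo.html",
    "Mozilla/5.0%2520(Windows%2520NT%25206.0;%2520WOW64)%2520AppleWebKit/"
    "537.36%2520(KHTML,%2520like%2520Gecko)%2520Chrome/39.0.2171.95"
    "%2520Safari/537.36",
    "-", "-", "Hit", "Ba3xwT-zb-czH_zw==", "v.test.com", "http", "637", "0.002",
])


def parse_cloudfront_line(line):
    """Return a dict of named fields for one access-log line, or None for
    CloudFront's #Version/#Fields header lines and for malformed lines."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None
    match = FIELD_RE.match(line)
    if match is None:
        # Wrong field count: refuse rather than silently misalign columns.
        return None
    event = dict(zip(CLOUDFRONT_FIELDS, match.groups()))
    # CloudFront writes "-" when a value is absent (query string, cookie, ...).
    for name, value in event.items():
        if value == "-":
            event[name] = None
    for name in INT_FIELDS:
        if event[name] is not None:
            event[name] = int(event[name])
    for name in FLOAT_FIELDS:
        if event[name] is not None:
            event[name] = float(event[name])
    # The user agent is URL-encoded twice (%2520 = encoded "%20"), so decode
    # twice to recover the original header value.
    if event["cs_user_agent"] is not None:
        event["cs_user_agent_decoded"] = unquote(unquote(event["cs_user_agent"]))
    return event


def splunk_regex():
    """The REGEX value to paste into transforms.conf (19 capture groups)."""
    return FIELD_RE.pattern


def splunk_format_line():
    """Build the FORMAT value from the field list so names and group numbers
    cannot drift apart when the list is edited."""
    return ",".join(f"{name}::${i}" for i, name in enumerate(CLOUDFRONT_FIELDS, 1))


if __name__ == "__main__":
    print("REGEX  =", splunk_regex())
    print("FORMAT =", splunk_format_line())
    for key, value in parse_cloudfront_line(SAMPLE_LINE).items():
        print(f"{key:22} {value!r}")
```

Running the script prints the REGEX and FORMAT values for transforms.conf followed by the extracted fields; if the regex fails on a real line from the forwarder, the field count or separator differs from what the FORMAT line assumes.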